/srv/irclogs.ubuntu.com/2011/12/02/#ubuntu-server.txt

[00:04] <jetole> can someone think of a good name to give to someone who specializes in both high availability and disaster recovery?
[00:05] <jmedina> master?
[00:06] <ersi> "Jedi"
[00:06] <jetole> I like Jedi but I am thinking for a help wanted ad
[00:07] <jetole> presence availability architect?
[00:07] <jetole> lol
[00:07] <jmedina> just use his nick XD
[00:12] <JanC> HA & DR sound like opposite goals  ;)
[00:12] <JanC> well, opposite sources maybe  ;)
[00:14] <JanC> jetole: maybe "wanted: Jedi" (to attract attention) is a good title (with the qualities of HA & disaster recovery listed in smaller print)
[00:16] <JanC> although I think you might be looking for a white knight, and maybe two people who can do one of those well will be cheaper combined  ;)
[00:33] <jetole> JanC: I already broke the one person the boss asked for into three
[00:33] <jetole> lol
[00:33] <jetole> but thanks for the idea
=== cloakable_ is now known as cloakable
[00:50] <mgw> anybody here know kerberos? #kerberos channel seems to be pretty inactive
[00:51] <uvirtbot> New bug: #401107 in xorg-server (main) "Software runs as root" [Wishlist,Won't fix] https://launchpad.net/bugs/401107
[01:15] <SpamapS> mgw: maybe its because kerberos is so awesome, it just configures itself. ;)
[01:15] <mgw> SpamapS : definitely
[01:15] <mgw> it's the most intuitive, user friendly system.. since ldap
[01:16] <mgw> Which is why they work so nicely together
[01:16] <mgw> Do you have much experience with it?
[01:16] <mgw> in particular kerberos+ldap
[01:17] <SpamapS> mgw: no I've never fully experienced the shimmering beauty of kerberos+ldap without the glorious addition of Microsoft's AD on top of it. ;)
[01:17] <mgw> ah, i'm sure that makes it so much easier ;-)
[01:17] <twb> #kerberos has a hard-on for AD anyway
[01:18] <twb> They aren't interested in helping MS haters
[01:18] <mgw> Is there a better alternative?
[01:18] <twb> mgw: AFAIK kerberos is the only secure way to run a network filesystem, for example
[01:19] <twb> mgw: but hey, if you trust your LAN, it doesn't matter so much
[01:19] <mgw> we're using it for user auth
[01:19] <mgw> supposedly ldap alone isn't so great
[01:19] <twb> mgw: FWIW I use a homogeneous openldap network with ldaps and slapo-ppolicy(5), which is OK
[01:20] <twb> I wouldn't run ldap-only in the conventional layout, where root on the client machines has read access to the password hashes
[01:20] <twb> Not in a security-sensitive network, anyway.
[01:21] <mgw> ok
[01:24] <twb> Broadly speaking if you aren't using TGTs (i.e. kerberos), you can either have everyone send cleartext passwords (over TLS) all the way back to the LDAP server, OR you can have the individual authenticators get the hash from the LDAP server and then compare it to the password themselves
[01:25] <twb> The latter approach means the password is never transmitted cleartext (over TLS) over the wire, but IMO it's better to trust TLS than to trust whatever lowest-common-denominator hashing algo you can get all the authenticators to sign off on, since that's probably MD5 or worse
[01:27] <SpamapS> oi.. mysql cluster server and mysql 5.5 just don't want to play together
[01:30] <mgw> twb: I'll stick with kerberos, but I need to figure out where this syntax error is coming from while initializing the realm
[01:31] <twb> mgw: oh sorry, didn't realize you already had krb
[01:31] <twb> mgw: what's the error?
[01:33] <mgw> kdb5_ldap_util: Invalid syntax while creating realm 'FOO'
[01:33] <mgw> kdb5_ldap_util create -s -D cn=admin,dc=foo -H ldap://127.0.0.1
[01:33] <twb> Hum
[01:33] <twb> -H ldapi:/// ?
[01:34] <mgw> tried that too
[01:34] <mgw> i'm successfully authenticating either way
[01:34] <twb> That's probably not the actual problem tho, it's just better to use a socket if you've got it
[01:34] <twb> k
[01:34] <twb> Incidentally I use o=Company instead of dc=foo,dc=bar,dc=baz because the former is shorter :-)
[01:35] <mgw> You will be prompted for the database Master Password.
[01:35] <mgw> It is important that you NOT FORGET this password.
[01:35] <mgw> Enter KDC database master key:
[01:35] <mgw> Re-enter KDC database master key to verify:
[01:36] <twb> mgw: if you have a multi-line transcript, pastebin it
[01:39] <mgw> https://gist.github.com/ce3013240c5abb9d240b
[01:39] <mgw> shall I paste my krb5.conf too?
[01:40] <mgw> https://gist.github.com/9662de14724a0526bd77
[01:41] <mgw> twb: ^
[01:45] <twb> I can't see what's wrong there
[01:45] <twb> Except maybe [domain_realm] is supposed to be [FOO] or something?
[01:45] <twb> No I'm thinking of line 8, FOO=
[01:50] <mgw> twb: i've got it working fine on another sandbox, and I can't see anything significant different
[01:51] <twb> krb likes to be magic wrt DNS -> krb domain
[01:52] <twb> Maybe the DNS settings are slightly different, or e.g. "hostname --fqdn" doesn't give the same thing -- something like that
=== Ursinha-lunch is now known as Ursinha
[01:57] <mgw> my fqdn is admin02.xxx.internal
[02:36] <RoAkSoAx> .win 11
[02:36] <twb> RoAkSoAx: bzzt, I'm not irssi
[02:37] <RoAkSoAx> lol
[02:55] <uvirtbot> New bug: #898927 in apache2 (main) "apache2-mpm-prefork+mod_perl crashes on start" [Undecided,New] https://launchpad.net/bugs/898927
[03:29] <philipballew> Question: Where is a good guide on setting up my own vpn server?
[03:30] <jeeves_moss> can someone recommend me a good "howto" for setting up master/slave Bind9 servers?
[03:31] <qman__> philipballew, the server guide
[03:31] <philipballew> !vpn
[03:31] <ubottu> For more information on vpn please refer to https://wiki.ubuntu.com/VPN
[03:31] <qman__> https://help.ubuntu.com/10.04/serverguide/C/openvpn.html
[03:32] <philipballew> qman__, thanks. This looks easy enough
[03:32] <qman__> as long as you're vaguely familiar with generating certificates, it is
[03:33] <qman__> there's a few choices to make like tap/tun, routed/bridged
[03:33] <qman__> and some networks require pushing extra routes or whatever, but it's pretty simple
[03:33] <philipballew> i have never set up a vpn before
[03:34] <philipballew> But I have done RSA ssh keys before
[03:34] <patdk-lap> you can use openvpn to make just about anything
[03:34] <patdk-lap> the biggest advantage of it is, no mtu limits, vs other vpn methods
[03:35] <patdk-lap> it can also be a disadvantage, but easy to compensate for if you want
[03:35] <philipballew> patdk-lap, what does that mean?
[03:35] <qman__> IMO the biggest advantage is ease of use
[03:35] <qman__> runs on single port, clients with GUI for windows and linux
[03:35] <patdk-lap> qman__, ya, and it's easier to use cause of the lack of mtu limit
[03:36] <patdk-lap> hmm, I have never seen gui clients for it
[03:36] <patdk-lap> I know they made that shell wrapper for it on windows
[03:36] <qman__> has a module for network-manager-gnome, and there's the openVPN GUI for windows
[03:37] <patdk-lap> those all just wrap the commandline thing though
[03:37] <qman__> installed by default on ubuntu now, makes it real easy
[03:37] <patdk-lap> windows is still a pain though, have to set, run as admin
[03:38] <qman__> yeah, UAC puts a hitch in
[03:38] <qman__> but there's also the option of enabling the service for an automatic connection in the background
[03:38] <qman__> just with the GUI could communicate with it
[03:38] <qman__> wish*
[03:38] <philipballew> So I cant change the port it uses>
[03:38] <philipballew> ?
[03:38] <qman__> you can
[03:39] <qman__> 1194 is just the default
[03:39] <patdk-lap> lots of people use 443
[03:39] <philipballew> alright. ill need to see if i can open that remotely
[03:39] <patdk-lap> I have mine setup to try a udp port first, then fallback to 443 tcp
[03:39] <qman__> it can run over tcp, but udp is the default, and bridge mode only works over udp
[03:40] <patdk-lap> qman, not true
[03:40] <patdk-lap> everything about openvpn works no matter what it's over
[03:40] <patdk-lap> be it udp or tcp
[03:40] <qman__> recent change? all the documentation I read said as such
[03:40] <patdk-lap> the issue with tcp comes with tcp inside of tcp
[03:40] <patdk-lap> well, it will work, definitely won't be optimal
[03:41] <patdk-lap> cause packets that are made to have loss, and stuff, will retry over tcp forever basically
[03:41] <qman__> mine at home is set as a bridge over a tap device
[03:41] <patdk-lap> I rarely use bridge mode, I don't see the point
[03:42] <patdk-lap> why do I want broadcast/multicast traffic hogging the vpn
[03:42] <qman__> I use it to connect wireless clients to the LAN, as my wireless APs are on a different network
[03:42] <qman__> operating a public wifi here
[03:43] <qman__> while not absolutely needed, it's convenient for games and printers and other weird and/or old software
[03:43] <patdk-lap> well, if it's local, that is one thing
[03:43] <patdk-lap> I was thinking normal vpn usage, at crappy hotel/hotspot
[03:43] <qman__> I use it from the internet too, but that's where the majority of the use is
[03:44] <philipballew> So after I make all the keys I'll need to move the private one to my desktop huh?
[03:44] <qman__> no
[03:44] <patdk-lap> na
[03:45] <patdk-lap> you need the private/public + ca
[03:45] <qman__> you need to copy the CA certificate and the client key and certificate
[03:45] <qman__> the server key stays on the server only
[03:45] <patdk-lap> the private one is the only one that must be secured though
[03:45] <patdk-lap> both for the server and clients
[03:45] <philipballew> well I will do all this on my server and then ill have a key i need to use to connect to the vpn with correct?
[03:46] <qman__> correct
[03:46] <qman__> you will need four files for the client
[03:46] <qman__> CA cert, client cert, client key, openvpn config
[03:46] <qman__> the client key is confidential to the client and should be transmitted securely and kept private
[03:46] <patdk-lap> and maybe a tls key
[03:46] <patdk-lap> or what do they call it, for the dh
[03:46] <philipballew> ill use sftp or ssh
[03:47] <qman__> both certs are safe to post publicly, the config technically could be but you probably don't want to
[03:47] <philipballew> https://help.ubuntu.com/10.04/serverguide/C/openvpn.html under client certificates is what I enter into my desktop then?
[03:48] <qman__> yes
[03:48] <qman__> my setup doesn't have a ta.key
[03:48] <patdk-lap> ah, the tls-auth dh stuff
[03:49] <qman__> I didn't have pkitool either
[03:49] <patdk-lap> it's really only useful if someone dos/ddos you
[03:49] <qman__> looks like it makes it easier to add clients
[03:49] <patdk-lap> I'm using easypki I think, that is pretty painless
[03:49] <philipballew> so
[03:49] <philipballew> cd /etc/openvpn/easy-rsa/
[03:49] <philipballew> source vars
[03:49] <philipballew> ./pkitool hostname
[03:50] <qman__> mine I just look up my history and grab the openssl commands
[03:50] <patdk-lap> . ./vars
[03:50] <philipballew> should be entered into my desktop and not the server?
[03:50] <qman__> no
[03:50] <qman__> all of that is done on the server
[03:50] <philipballew> okay
[03:50] <qman__> you simply copy the resulting files to the desktop
[03:50] <philipballew> ah, alright
[03:51] <qman__> my VPN server was set up with and still runs 8.04
[03:51] <qman__> so it was a little different
[03:52] <philipballew> qman__, Mines 10.04
[03:52] <patdk-lap> I just upgraded my main firewall/vpn hub server 2 weeks ago from 8.04 xen domu to 10.04
[03:52] <patdk-lap> just did an rsync, and it was running :)
[03:53] <patdk-lap> freaking iptables on that machine has over 3k lines
[03:53] <qman__> ha
[03:53] <patdk-lap> it has 14 interfaces
[03:53] <qman__> I've got a little script on mine to handle port forwarding, 4 interfaces
[03:54] <patdk-lap> oh, this is no nat at all, or port forwardings
[03:54] <patdk-lap> just access restrictions between interfaces
[03:55] <qman__> heh
[03:55] <philipballew> so with what im setting up i need to have Bridging enabled as well?
[03:55] <qman__> I just have the house LAN, cordoned off wifi with internet-only access, and restricted LAN for the business point of sale machines
[03:56] <qman__> put the script together because I used to be on DHCP, so I had to make it easier when the IP would change
=== bladernr_ is now known as bladernr_afk
=== ben_ is now known as utlemming_home
=== nonotza_ is now known as nonotza
=== TeTeT_ is now known as TeTeT
=== jibel_ is now known as jibel
=== gema_afk is now known as gema
[08:50] <jamespage> morning all
=== jodh is now known as jodh_
[09:01] <Randolph> hi all
[09:16] <lynxman> jamespage: morning o/
[09:41] <uvirtbot> New bug: #819251 in dbconfig-common (main) "package phpmyadmin 4:3.3.10-1 failed to install/upgrade: le sous-processus script post-installation installé a retourné une erreur de sortie d'état 10" [Undecided,Confirmed] https://launchpad.net/bugs/819251
=== smw is now known as Guest32774
[10:44] <koolhead11> hi all
[10:50]  * uksysadmin feels sorry for koolhead11 as nobody is saying hi
[10:50] <uksysadmin> hi koolhead11
[10:53] <koolhead11> hey uksysadmin :D
[10:57] <uksysadmin> when pxe booting precise from orchestra - I presume that glaringly big bug of having no feedback during install apart from tailing the logs on the orchestra server is a known one?
[11:00] <koolhead11> uksysadmin: best answer will be check at launchpad and see if its there
[11:00] <koolhead11> if not file one :P
[11:01] <uksysadmin> I'm not entirely sure what bug I'm filing - whether its a bug in Orchestra, a bug in Precise installation, or whatever the pxe boot image I'm using
[11:01] <uksysadmin> certainly can't find a bug related to it
[11:03] <koolhead11> uksysadmin: so orchestra works without error when u using onekenthomas
[11:03] <koolhead11> oops
[11:03] <koolhead11> oneiric
[11:04] <uksysadmin> yes - I can pxe boot stuff in Orchestra in Oneiric  and do some stuff
[11:04] <uksysadmin> I've just done a fresh install of Precise, updated and install Orchestra
[11:04] <uksysadmin> Booting a machine using it and during the package installation the screen is just black
[11:04] <koolhead11> uksysadmin: i am not sure if precise is currently even in alpha or not
[11:04] <uksysadmin> tailing the logs on orchestra I see it doing debootstrap stuff etc
[11:04] <uksysadmin> its alpha-1
[11:05] <uksysadmin> I'm aware of it being buggy - but do Ubuntu devs want to know about this stuff?
[11:05] <uksysadmin> its the difference between known issues and unknown ones
[11:09] <koolhead11> uksysadmin: file a bug then. what are you waiting for?
[11:09] <koolhead11> linking it to precious alpha :D
[11:17] <uksysadmin> lol ok ok ;-)
[11:23] <uksysadmin> There - someone will reply "You're expecting an alpha-1 release of some software booting more pre-alpha code and you expect what?" ;-)
[11:24]  * koolhead11 kicks uksysadmin
[11:24]  * koolhead11 wonders if everyone is having beer early weekend today
[11:27] <uksysadmin> in 30 mins, yes...
[11:28] <uksysadmin> It's Friday - thought it was the law to go the pub at lunch?
[11:28] <koolhead11> well i have 3 more hours at work
[11:29] <uksysadmin> pub 30 mins, 1 hour lunch, 3 hours left, then I'm off for a week :)
=== funkyHat2 is now known as funkyHat
[11:54] <jamespage> Daviey: can I get a second opinion on SRU-worthiness of bug 659439
[11:54] <uvirtbot> Launchpad bug 659439 in rsyslog "Installing rsyslog-mysql on 10.04 installs mysql-server by default" [Medium,Confirmed] https://launchpad.net/bugs/659439
[12:07] <Daviey> jamespage: right, so some people will be using it together.
[12:07] <Daviey> If they didn't install mysql-server, they'd have a working setup now..
[12:08] <Daviey> If it gets dropped from a Recommends to Suggests, for example, it would be freed up for removal as an update
[12:12] <jamespage> Daviey: well they would have that problem on release upgrade anyway
[12:14] <Daviey> jamespage: Hmm, i'd say the fact that people can work around it by doing, apt-get --no-install-recommends install rsyslog-mysql , says to me that it isn't High Impact enough.
[12:15] <jamespage> Daviey: I tend to agree
[12:15] <Daviey> (i'd say also, not obviously safe.)
[12:16] <Daviey> I mean, you might expect something to go wrong between distro upgrades, but not sru updates.
[12:16] <jamespage> yeah - agreed; I'll mark that as won't fix and comment appropriately
[12:18] <Daviey> jamespage: I'm not blocking it, you understand.. Just the verification process work involved, and potential excitement of breaking systems concerns me.
[12:21] <jamespage> Daviey: gotcha
[12:38] <`-`> #ubuntu ops are nazi fags. please remember to use your brain not that other bit of the anatomy the #ubuntu team appears to think is best.
[12:41] <jamiemill> I need some aws help but ##aws is a bit sleepy. I'm going mad trying to work out why an ELB healthcheck is failing. When I curl the page via {public DNS}:80{healthcheck URL} I get a perfectly fine response. Why could it be?
[12:42] <onre> is it TCP or HTTP healthcheck?
[12:42] <onre> and if it's HTTP, what status code do you get for your response?
[12:48] <jamiemill> onre It's HTTP. I get 200 when I use curl
[12:50] <onre> if you just want to make it work right now, change it to TCP :p
[12:50] <jamiemill> ok will try
[12:51] <jamiemill> onre yeah, now it says in service!
[12:51] <onre> yes :) TCP check only tries to connect to that port without any request, so if that works, it marks the instance as healthy :)
[12:52] <zul> jdstrand:  can you review the openstack in binary new today im getting some flack because of it
[12:52] <onre> i recommend, though, that you take a look at your http server logs to see whether these check requests get logged and possibly filter them away somehow
[12:52] <onre> so that you avoid having the healthcheck flooding your logs :p
[12:54] <jamiemill> onre Actually - i just checked the logs and I see "[02/Dec/2011:12:50:40 +0000] "GET / HTTP/1.1" 301 538 "-" "ELB-HealthChecker/1.0""
[12:54] <jamiemill> so there's a 301 going on
[12:56] <onre> alright!
[12:56] <onre> that explains
[12:56] <onre> http statuscheck will fail if the response code is not 200
[12:56] <onre> you might consider putting an empty test file in place and requesting that with the check
[12:56] <onre> or something similar
[12:56] <onre> possibly a piece of code that checks for db connectivity etc
[12:57] <onre> so that you get a good idea of whether your frontend instance actually is really in service, or if it only responds to port 80 :p
[12:58] <jamiemill> onre It's a shame I can't actually see the headers from the last healthcheck. then i'd know where it's redirecting to!
[12:58] <onre> well if you request / using curl and some verbose flag or something, you should see them?
[12:59] <jamiemill> onre Yeah but using curl, I was getting 200, not 301.
[13:00] <onre> yes but curl probably didn't show you the redirect phase
[13:00] <jamiemill> onre This is a wordpress site so maybe it's PHP redirecting, not apache. I'm trying a plain HTML file in the docroot now as the target
[13:00] <jamiemill> ah
[13:00] <onre> but instead only gave you the "end result" of the redirect
[13:01] <jamiemill> onre No actually I think I am seeing the truth, I was using curl -I to just get the headers
[13:02] <jamiemill> OK looks like using a plain html file is working. before I was requesting a wordpress page, so god knows what was going on. so many plugins etc
[13:04] <onre> oh yeah :)
[13:04] <jamiemill> onre Thanks a million. Looking in the logs was the clue i needed :-)
[13:05] <onre> no prob :p
[13:05] <onre> success by accident
[13:10] <afeijo> how to delete files older than 30 days? I try find -atime +30 | ls -laht, but it returns all files
[13:10] <afeijo> I mean -ctime param
[13:10] <patdk-wk> why ctime?
[13:10] <patdk-wk> ctime = creation time
[13:10] <afeijo> yes, I want to delete old files ...
[13:10] <patdk-wk> atime = access time
[13:10] <patdk-wk> mtime = modification time
[13:10] <afeijo> those files are logs
[13:10] <patdk-wk> normally a file isn't OLD if it was created awhile ago, but updated today
[13:10] <afeijo> no access nor modification
[13:11] <patdk-wk> all files have all 3 times
[13:11] <patdk-wk> dunno, I always use mtime :)
[13:11] <patdk-wk> oh ya, doesn't time = minutes? not days
[13:11] <afeijo> ok, I try with mtime +30, it still returns today files?
[13:11] <patdk-wk> na, time = days, mmin = minutes :)
[13:12] <patdk-wk> works for me
[13:12] <patdk-wk> find . -mtime +1 -delete
[13:13] <memoryleak> Hi. I have following errors when using apt-get: http://pastie.org/2954797
[13:13] <afeijo> patdk-wk, thanks, it worked
[13:14] <memoryleak> I tried many tips from the internet, dpkg-reconfigure locale, export LC_* in .bashrc none of it helped permanently
[13:14] <patdk-wk> afeijo, I bet your logs contain several days of stuff, and that is why ctime isn't working, cause the log was made several days ago
[13:14] <patdk-wk> default is 1week per log file
[13:14] <afeijo> find | ls -lah output weird results tho
[13:15] <patdk-wk> why wouldn't it be?
[13:15] <afeijo> no idea
[13:15] <andol> patdk-wk: Well, isn't ctime really short for change time, and not create time?
[13:15] <patdk-wk> try, find . -mtime +5 -ls
[13:15] <patdk-wk> no, ctime = creation, mtime = modification/change
[13:15] <patdk-wk> don't you know how to use man find?
[13:16] <afeijo> :$ I will
[13:18] <andol> patdk-wk: Well, in my book ctime counts when the underlying inode was most recently changed, which of course in my cases happened during the file's creation.
[13:18] <patdk-wk> heh? what manual did you read that defined it like that? it's always been creation time, according to stat
[13:19] <patdk-wk> hmm, maybe by change they mean inode change
[13:20] <patdk-wk> noticing it says change also, my history it was always creation
[13:20] <andol> patdk-wk: Trying doing something like chmod on a file, and see what it does to your ctime.
[13:21] <patdk-wk> that would update the inode
[13:21] <andol> patdk-wk: Exactly
[13:21] <patdk-wk> and I'm guessing that is what it means, time since last inode change
[13:21] <patdk-wk> but then, my history of this comes from the 80's
[13:22] <andol> During the 80's I hadn't even heard about ctime, or mtime either for that matter :)
[13:22] <patdk-wk> used to it being called creation, but ya, that is since inode changed
[13:55] <zul> good morning
[13:56] <mgw> zul: good morning
=== bladernr_afk is now known as bladernr_
[14:16] <uvirtbot> New bug: #899173 in sysstat (main) "iostat/kernel  output for dm devices broken" [Undecided,New] https://launchpad.net/bugs/899173
[14:33]  * koolhead11 needs some cyber-cake
[14:34]  * koolhead11 heard people are having party tonight
[14:54] <hallyn> zul: bug 372001, do you have any objection to my pushing a patch to have libvirt upgrades not install /etc/libvirt/qemu/networks/autostart/default.xml ?
[14:54] <uvirtbot> Launchpad bug 372001 in libvirt "default network autostart symlink recreated" [Low,Triaged] https://launchpad.net/bugs/372001
[14:54] <mgw> anybody know of utility scripts to both add a principal via kadmin and add the user to ldap?
[14:55] <mgw> as well as delete
[14:55] <zul> hallyn: im good with it
[14:55] <hallyn> thx - did you have any other changes to queue up?
[15:04] <SpamapS> oh mysql.. why must you hard code /etc/mysql in your code base?
[15:04]  * SpamapS shakes mysql-cluster-7.0 like a polaroid picture
[15:05] <zul> SpamapS: welcome to hell population you
[15:05] <zul> hallyn: nope
[15:05] <SpamapS> zul: your support is appreciated Mr. Demon ;)
[15:06] <zul> heh i liked it when homer goes to hell and his punishment was to eat all the doughnuts in the world
[15:08] <lynxman> SpamapS: hardcoding paths, the way of the future... not
[15:09] <SpamapS> lynxman: hardcoding paths is webscale
[15:09] <lynxman> SpamapS: it's totally webscale, it has scaling juice written all over it
[15:10] <zul> SpamapS: i think the libmysqlclient is bit different in mysql-cluster as well fyi
[15:17] <SpamapS> zul: its not
[15:18] <SpamapS> zul: all special sauce is confined to libndbclient
[15:18] <zul> SpamapS: cool
[15:18] <SpamapS> zul: I'm slicing mysql-cluster-7.0 down to just the server
[15:18] <zul> i would just rather drop mysql-cluster all together myself but thats another matter
[15:18] <zul> SpamapS: gotcha
[15:19] <SpamapS> zul: but unfortunately, it doesn't understand 5.5's my.cnf .. so have to *not* read /etc/mysql/my.cnf
[15:19] <SpamapS> easy enough, I'm patching that to be /etc/mysql-cluster
[15:19] <zul> SpamapS: hah hah...
[15:34] <fly_80> hi to all
[15:35] <fly_80> i installed imagemagick on a new ubuntu server... when trying to use convert, i got an error
[15:35] <fly_80> convert: no decode delegate for this image format `/tmp/magick-daFyRHfn' @ error/constitute.c/ReadImage/566.
[15:35] <fly_80> what does it mean? i missed some lib?
[15:38] <SpamapS> interesting... mysql cluster 7.2 will be mysql 5.5 based..
[15:40] <SpamapS> I wonder if it will be GA by April.. might be worth moving to it
[15:44] <SpamapS> really screws everything up that libmysqlclient and mysqld have to share the same stupid config file
[15:46] <ikonia> SpamapS: are you sure on that
[15:46] <hallyn> jdstrand:  have you had any time to look at the (tiny) patch on bug 869553 ?
[15:46] <uvirtbot> Launchpad bug 869553 in libvirt "Apparmor prevents KVM tunnelled migration" [High,Confirmed] https://launchpad.net/bugs/869553
[15:47] <hallyn> I'd like to push it along with the fix for bug 372001
[15:47] <uvirtbot> Launchpad bug 372001 in libvirt "default network autostart symlink recreated" [Low,Triaged] https://launchpad.net/bugs/372001
[15:50] <SpamapS> ikonia: sure on what? that libmysqlclient and mysqld have the same config file? yes I'm certain they both read /etc/mysql/my.cnf
[15:50] <SpamapS> ikonia: that they read different sections is only a consolation prize
[15:50] <ikonia> SpamapS: I thought you could separate out client/server options in my.cnf though
[15:54] <hallyn> eh, nm, i'll push the one for now
[15:58] <SpamapS> ikonia: yes you can, but that doesn't matter because the [mysqld] for mysql-server 5.5 break mysql-cluster-server-5.1, and both have to use /etc/mysql/my.cnf
[15:59] <ikonia> in what way does it break it ?
[16:07]  * Daviey spies Horizon in NEW queue
[16:09] <Daviey> (nice one zul)
[16:09] <zul> Daviey: hopefully it will get out of there today
[16:12]  * zul reminds himself to help jdstrand drunk in budapest
[16:13] <Daviey> heh
[16:14] <Daviey> zul: I haven't looked, but are you handling the rename from dashboard?
[16:15] <zul> i will when it gets through
[16:15] <Daviey> rocking
[16:18] <hallyn> Daviey: pushing netcf today?
[16:19] <Daviey> hallyn: on it
[16:20] <hallyn> \o/
[16:24] <Daviey> hallyn: done, wedged in NEW queue
[16:24] <Daviey> (just wait now)
[16:50] <smoser> zul, were you going to send something to boto on connect_nova ?
[16:50] <smoser> or connect_ec2_endpoint
[16:55] <tgardner> jamespage, how do I twiddle cobbler so that I can get a Precise ISO as one of the PXE install choices? is it by editing the profiles from the cobbler_web/profile/list menu ?
[16:57] <jamespage> tgardner: its a bit more involved than that
[16:57]  * jamespage digs for docs...
[16:59] <smoser> tgardner, try cobbler-ubuntu-import
[16:59] <smoser> see its usage
[17:00] <tgardner> smoser, cool, thanks.
[17:00] <tgardner> jamespage, ^^ I can likely figure it out from here.
[17:01] <jamespage> smoser, tgardner: might need a tweak to work on oneiric for precise; I had to hack the cobbler import process on aldebaran todo that (not elegant but works)
[17:02] <smoser> oh? jamespage ?
[17:02] <jamespage> smoser: yeah - I found that yesterday
[17:02]  * jamespage looks at his notes
[17:04] <jamespage> smoser: --os-version=precise is not recognised as a supported release in cobbler on oneiric.
[17:04] <jamespage> for cobbler import xxxx that is
[17:05] <RoAkSoAx> jamespage: SRU :)
[17:05] <jamespage> RoAkSoAx, agreed
[17:06] <smoser> who had/has the hard coced list ?
[17:06] <smoser> coded even.
[17:06] <jamespage> hrm - cobbler does - codes.py and manage_import_debian_ubuntu.py have lists of recognised releases for ubuntu
[17:07] <smoser> and when we fix, please fix with: ubuntu-distro-info --supported
[17:07] <smoser> as that (i think) will get SRU'd
[17:07] <jamespage> lemme report the bug at least
[17:08] <tgardner> jamespage, please lemme know what the bug number is so that I can follow it.
[17:09] <RoAkSoAx> jamespage: gonna prepare the SRU then
[17:10] <jamespage> RoAkSoAx: I'll stick it on my list :-)
[17:11] <jamespage> smoser: the orchestra script that imports the mini iso does that
[17:12] <smoser> jamespage, does what ?
[17:12] <jamespage> uses ubuntu-distro-info --supported
[17:12] <smoser> oh. uses that tool.
[17:12] <smoser> right.
[17:13] <smoser> so we need to make codes.py and/or manage_import_debian_ubuntu.py do it also
[17:13] <RoAkSoAx> jjajaq!
[17:14] <RoAkSoAx> baaah
[17:14] <koolhead17> hi all
[17:14] <jamespage> smoser: well maybe
[17:14] <RoAkSoAx> smoser: I don't agree with you because other distros do not have ubuntu-distro-info --supported
[17:15] <jamespage> what if someone wants to deploy an unsupported distro version?
[17:15] <smoser> well, that would be a ubuntu patch then :)
[17:15] <RoAkSoAx> smoser: but we could make use of it, and if it doesn't exist, fallback to the real list
[17:15] <smoser> but either way, can "if available use it, otherwise hard coded list"
[17:15] <smoser> the list of ubuntu releases is stupidly hard coded *way* too many places. we need to not have that.
[17:16] <RoAkSoAx> smoser: yeah
[17:17] <hallyn> zul: another tiny q (you are my libvirt sanity check :)  - do you see any reason not to add a Suggests: cgroup-lite | cgroup-bin to libvirt-bin?
[17:17] <RoAkSoAx> smoser: well that's precise, for oneiric I'll just hardcode the release
[17:17] <jamespage> tgardner, RoAkSoAx, smoser: bug 899276
[17:17] <uvirtbot> Launchpad bug 899276 in cobbler "Release versions of cobbler don't automatically support the next development release" [Undecided,New] https://launchpad.net/bugs/899276
[17:18] <RoAkSoAx> jamespage: what's the bug number?
[17:18] <tgardner> jamespage, thanks
[17:21] <smoser> ugh. roaksoax, if you hard code the release for oneiric, then you'll have to touch it again in 6 months.
[17:23] <jamespage> smoser: ubuntu-distro-info --all would be better
[17:23] <smoser> right.
[17:24] <smoser> its arguable if you should complain about "not supported, sorry" or not
[17:24] <smoser> but i dont really care either way
[17:25] <RoAkSoAx> I think it should only be the supported ones
[17:30] <zul> hallyn: no reason
[17:38] <RoAkSoAx> jamespage: fix uploaded
[17:42] <smoser> RoAkSoAx, the reason you would want more than just --supported, is in this case the person has provided you with a CD
[17:42] <smoser> so, its fairly clear they're interested in using the release they tell you they want to use.
[17:43] <smoser> its not like they were just asking cobbler "which release do you think i should install?"
[17:46] <RoAkSoAx> smoser: right, but for unsupported releases, the archives won't work (they would have to change to old-releases.etc.etc)
[17:46] <jdstrand> hallyn: sorry for the delay, I will take a look at it now. got tied up with a bunch of other stuff
[17:46] <RoAkSoAx> smoser: so that means they would have to do lots of tweaking
[17:46] <smoser> still not cobbler's decision to make, really.
[17:46] <RoAkSoAx> smoser: but either way, we should only support those supported releases
[17:47] <smoser> RoAkSoAx, if you provide cobbler with a full ISO of an old release, an install should actually work
[17:47] <smoser> right?
[17:48] <smoser> it should install and boot just fine. thats really all cobbler is going to do anyway.
[17:57] <RoAkSoAx> smoser: yeah but you need to modify the preseed to use the imported ISO as mirror
[17:57] <smoser> assuming you're using a preseed.
[17:57] <smoser> :)
[17:58] <smoser> basically i don't see any good reason to be annoying at "cobbler-import" time.
[17:58] <RoAkSoAx> smoser: yeah I agree
[17:58] <RoAkSoAx> smoser: but my point being is that makes no sense for someone to import a CD into cobbler of a non-supported release
[17:58] <smoser> that is their choice.
[17:59] <RoAkSoAx> cause in order to be able to install they will either need to point to old-releases or the local mirror of the imported CD in cobbler
[17:59] <smoser> maybe they're trying to reproduce a bug on karmic
[17:59] <RoAkSoAx> and that means modify the defaults from the preseed
[17:59] <smoser> there are lots of reasons to do such things.
[17:59] <smoser> there is no reason at cobbler-import time to make someone's life harder than it is.
[18:00] <smoser> they're probably aware (or will find out soon) that this release is not supported.
[18:00] <RoAkSoAx> smoser: right, but cobbler-import will not download and import an un-supported release, will it?
[18:00] <RoAkSoAx> smoser: I think it shouldn't
[18:01] <smoser> cobbler-import probably would not. as the urls would probably break.
[18:01] <RoAkSoAx> smoser: exactly
[18:01] <smoser> wait... cobbler-import is fed an ISO.
[18:01] <smoser> cobbler-ubuntu-import downloads cds.
[18:01] <smoser> cobbler-ubuntu-import will fail if they're using that.
[18:02] <RoAkSoAx> smoser: yesmodownloads all the supported ones
[18:02] <smoser> but if they get past that, and download a cd of an unsupported distro, theres really no point to tell them "YOU CANT DO THAT"
[18:02] <smoser> so cobbler-import (as opposed to cobbler-ubuntu-import) should not complain about unsupported release.
[18:03] <smoser> so the "known releases" values in cobbler itself should not be limited to the current definition of supported.
[18:03] <RoAkSoAx> smoser: smos/me/me rebooting the router.. this is just way too slow
[18:04] <jdstrand> hallyn: commented
[18:09] <RoAkSoAx> smoser: right, cobbler-ubuntu-import should only import supported
[18:09] <RoAkSoAx> smoser: and if anyone wants to import something not supported to cobbler is up to them
[18:19] <hallyn> jdstrand: thanks
[18:19] <jdstrand> I closed out the sdl one too
[18:20] <hallyn> great
[18:59] <hallyn> and away it goes
[19:38] <adam_g> zul: any idea why, when doing a 'bzr bd -S' on the nova package tree, dh_auto_clean fails because i dont have python-eventlet installed?
[19:38] <zul> adam_g: thats new to me
[19:40] <adam_g> hmm
[19:44] <jdstrand> zul: quantum accepted with this bug #899352
[19:44] <uvirtbot> Launchpad bug 899352 in quantum "packaging issues" [Undecided,New] https://launchpad.net/bugs/899352
[19:45] <zul> jdstrand: cool thanks
[19:45] <zul> next.. :)
[19:45] <jdstrand> yes
[20:02] <stgraber> hallyn: ping, where's the meeting?
[20:02] <hallyn> stgraber: doh!  right here I guess :)  (i'd forgotten, thanks for the ping)
[20:03] <hallyn> jjohansen: around?
[20:03] <jjohansen> hallyn: yep
[20:03] <jjohansen> hallyn: aren't you off today?
[20:04] <hallyn> i don't think so.
[20:04]  * hallyn checks
[20:04] <jjohansen> hallyn: oh, okay Daviey was asking that question last night
[20:04] <hallyn> there was a snafu with my holiday scheduling (caused by me)
[20:04] <jjohansen> ah
[20:05] <hallyn> yeah it was removed from admin but not the calendar apparently.  oops.
[20:05] <hallyn> (not that i'd mind)
[20:05] <hallyn> ok, so frankly i'm not quite sure where to start.
[20:06] <hallyn> jjohansen: do you have any updates on the apparmor work this cycle?
[20:06] <hallyn> (as pertains to lxc)
[20:06] <jjohansen> hallyn: sure
[20:07] <jjohansen> so we split the work out into what is essential, and high priority etc
[20:07] <jjohansen> the essential bits are the fake stacking and the base permission rework, and I think mount rules
[20:08]  * jjohansen needs to find the blue prints
[20:08] <jjohansen> anyway I have been working on the fake stack, I wanted it to be done this week, but I am still fixing bugs
[20:09] <jjohansen> so hopefully next week you will be able to try it with lxc, and give me feedback
[20:09] <hallyn> (just for historical reference: http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html was last time i considered this)
[20:10] <hallyn> cool
[20:10] <hallyn> so that addresses a container being able to load a policy of its own, but not being subject to host policy any more, right?
[20:10] <jjohansen> this won't have the extra mediation bits, but will allow the child to have its own profile namespace separate from the confining task
[20:10] <hallyn> right
[20:10] <jjohansen> right
[20:11] <hallyn> so, what about the "mount --move /proc /proc2; echo b > /proc2/sysrq-trigger" concern?
[20:11] <jjohansen> then I need to finish up the extend permission base work, so we can add the extra mediation you need
[20:11] <hallyn> is that for 12.04 then?
[20:12] <jjohansen> hallyn: at what level are you concerned, from within the container, right?
[20:12] <hallyn> unless i'm misunderstanding i thought you were punting on that for 12.04 :)
[20:12] <hallyn> yes
stgraberjjohansen: so about "own profile namespace", what do we need to do from an upstream lxc point of view? I guess we need to change our container init code to do some magic?20:12
jjohansenhallyn: at a minimum we will have mount rules to control where the mount can go20:12
hallynah, cool20:13
hallynI need to track all this on wiki20:13
jjohansenhallyn: I would love to be able to make path rules conditional on the fs but I don't think that can make 12.04, the kernel should actually be able to do that when I am done20:13
jjohansenit will be the policy compilation bits that I am worried about completing20:13
jjohansenstgraber: yes20:14
jjohansenstgraber: basically you create the namespace you want, and tell apparmor to stack it20:14
jjohansenstgraber: I have added two simple utility programs to wrap that, or you can look at what they do and make the calls yourself20:15
jjohansenstgraber: though at least for aa-namespace I would rather you use that, as I am trying to abstract out the use of the old interface, and you will pick up the new interface once it gets added20:15
* jdstrand reads backscroll20:16
jjohansenstgraber: under the old interface you don't have control of autoremoval, or #of profiles, amount of memory it can use etc.  Under the new interface you will, very similar to setting up a C group20:16
jjohansens/C group/cgroup/20:17
stgraberhallyn: so that'd need to be added to lxc-init I'd guess and potentially add a new config option (to turn on/off) + add a build option?20:17
hallynbtw, so as far as Daviey's concern (a document on lxc security), i will create a wiki page, outline issues at top level, and mitigations at second level20:17
hallynstgraber: not lxc-init...  lxc-start ?20:17
hallynlxc-init is the fake-init for application containers (lxc-execute)20:17
stgraberhallyn: argh, right, lxc-start :)20:18
hallynstgraber: we should make sure to doc this in a blueprint...20:18
hallynjjohansen: thx for that update20:19
hallynstgraber: jjohansen: so actually i think i'll go ahead and go create the wiki, email you for comment, and we can talk thereafter?20:20
hallyn(I'm not sure I have any more questions until I think it through in a structured way)20:20
jjohansenhallyn: sounds good20:20
stgraberhallyn: sounds good. I'll attach my current apparmor profile to it too, ideally we should try to have something a bit more complete for 12.0420:20
jjohansenhallyn: I did want to run past you how we are looking at structuring policy for this20:20
hallynjjohansen: ah, ok (listening :)20:21
jdstrandhallyn, stgraber: fyi, we are tracking these bits in https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers and https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework, which is part of the http://status.ubuntu.com/ubuntu-precise/group/topic-precise-arm-server.html topic20:21
jjohansenhallyn, stgraber: it is going to require doing some things a little different, but it comes out of talking to viro20:21
jjohansenbasically the idea is that you split the profile into two functional bits, the setup phase and the mediation of the container.  Paths in the setup profile are relative to the original root, and paths in the mediation profile are based on the container namespace20:23
jjohansenfor disconnected files, the mediation is based off of the implicit labeling20:23
jjohansenor maybe delegation, but I can't see the delegation bits being ready for 12.0420:24
hallynimplicit labeling?20:24
jjohansenhallyn: when a task opens an fd it labels it with its current label20:25
hallynoh, ok.20:25
hallynand that bit is new right?20:25
hallynoh, no.  nm.  i was working around userspace.20:25
jjohansenyes and no, we have always done that but we have been planning on extending it, and will do the bits we need for containers20:26
hallynok, so we'll have mount controls to lock cgroups and proc/sys into place;  maybe cgroup virtual roots (doubtful);  and maybe seccomp2 to lock out some syscalls.20:29
hallynthis isn't looking too bad20:29
hallynjjohansen: thanks, anything else?20:31
jdstrands20:31
jjohansenhallyn: I think that is it for now20:31
hallynjjohansen: great, thanks.  i'll work on that wiki over the next few days and email you and stgraber20:32
stgraberjjohansen: thanks20:32
adam_gzul: i tagged you as a reviewer for a quick merge into lp:ubuntu/nova20:36
zuladam_g: yay! thanks20:37
dknwhy can i ssh into my server from one VM using - u username ssh hostname but i can't do it from another? both have their rsa public keys in the username authorized_keys folder but one asks me for a password when i log in?20:43
jdstrandzul: openstack-common accepted21:04
zulhurray for small miracles21:05
jdstrandheh21:05
hallynsmoser: do you know/recall why windows on euca needs a separate boot disk?  (as reported by various blogs)21:32
smoserumm... windows is silly ? and euca wasn't designed for that ?21:33
smoserbut seriously, it probably has to do with how an ami (amazon machine image, the format of disk that you upload to amazon) are used.21:34
hallynis it still necessary on openstack? is what i think the q is :)21:34
smoserfor instance-store images, you upload a partition image21:34
smoserthen, the cloud provider (euca or ec2) takes that and does some magic to turn it into a disk image (with a partition table)21:34
smoserthey never try to boot it by booting the MBR21:35
smoserso you just can't let windows boot itself21:35
hallynsmoser: ok, thanks21:35
smoseron openstack, though, if you boot an instance without a kernel and ramdisk (ari/aki), then openstack just tries to let the disk boot itself21:35
smoserso we publish "full disk images" that have grub installed in them and those are the best way to boot on openstack.21:36
smosersimilar full disk images of windows should/could work there21:36
smoserand euca could use a similar trick... i dont know.21:36
achiangsmoser: yeah, the euca thing is a red herring. my real goal is to boot windows on openstack somehow21:40
Davieyachiang: Have you created a windows ami?21:41
zulachiang: it should be the same as the way you do it on eucalyptus, although you will run into issues since it assumes you are running linux (injecting keys etc)21:41
achiangDaviey: no, that's what i'm trying to figure out how to do21:41
Davieyachiang: it's not something any of the ubuntu folk have tested fwiw.21:42
smoserachiang, have you tried it ?21:42
smoserit really should "just work" as much as windows can just work21:42
smoserdo an install in kvm.21:42
achiangsmoser: i'm muddling along trying to follow instructions here: http://cssoss.wordpress.com/2010/05/05/uec-windows-instance-on-lucid-lynx-hack/21:42
smosertake the disk and upload it to openstack21:42
achiangsmoser: but i guess i didn't realize that euca and openstack aren't the same thing21:42
achiangyeah, i've done the kvm installation part21:43
achiangthe "upload it to openstack" part is what i'm getting hung up on21:43
smoserwhy?21:43
achiangwell...21:43
DavieyI wonder if the qemu backing store breaks windows?21:43
smoserwindows knows nothing about it21:43
smoserit's a block device21:43
achiangam i supposed to use euca-bundle-vol somehow?21:44
smoserachiang, cloud-publish-image x86_64 my-windows-i-love-bill.img my-redmond-bucket21:44
smoseryou can probably use glance commands to do the same thing. i'm not familiar with them off the top of my head. they are more direct, but i know this path well.21:44
zulsmoser: it would be a good weekend project though :)21:45
achiangsmoser: ok, and where does my-redmond-bucket come from? do i need to make it somehow?21:45
smoserno.21:45
smoserit's a name. an s3 bucket that it will get put into21:45
achianghere's a dumb question. can an openstack instance mount/boot/access a local cdrom/iso?21:46
smosertheres a thread on the mailing list21:48
smoseron that21:48
smoseri didnt follow it21:48
smoserachiang, seriously, just try it.21:49
zulachiang: yes it can assuming you are running Xenserver21:49
smoseri'm interested in knowing what happens.21:49
achiangsmoser: yeah, i'm just trying to frontload questions here because i have a 7GB qemu disk image and a horribly slow uplink. :-/21:50
smoserachiang, run an instance and move the image there.21:51
smoserhttps://gist.github.com/123197321:51
smoserstart an instance with that, i do it with lucid21:51
smoserand then get your creds to the instance21:51
smoserand move the 7G disk there.21:51
smoserthen you have fast network.21:51
achiangsmoser: ok, thanks for all the help. i appreciate it21:53
achiang(and thanks others, too)21:53
jdstrandzul: swauth accepted with these bugs filed: bug #899411, bug #89941021:55
uvirtbotLaunchpad bug 899411 in swauth "get-orig-source non-functional" [Undecided,New] https://launchpad.net/bugs/89941121:55
smoserdoes that gist make sense to you?21:55
uvirtbotLaunchpad bug 899410 in swauth "binaries not lintian clean" [Undecided,New] https://launchpad.net/bugs/89941021:55
zuljdstrand: thanks..21:55
zuljdstrand: i think ill be fueling your alcohol consumption next month21:56
jdstrandI will take you up on that21:56
achiangsmoser: no, the gist doesn't really make sense yet, but i'm assuming after more homework on my part it will become apparent21:58
smoserachiang, launch an instance of lucid with that gist as userdata22:00
smoser(--user-data-file=that-file)22:00
smoserthen copy your credentials there to a subdirectory named 'creds' of your home directory22:00
smoser(ubuntu's home directory)22:00
chz|baconhey guys i'm having a heck of a time getting grub2 to install on a software raid setup22:06
chz|baconcould one of you maybe point me in the right direction. i've been reading howtos, and i still can't seem to get grub2 to install.22:07
chz|baconi have swap / and /boot partitions setup yet trying to install on /dev/sda1 (/boot) i get the same error22:08
chz|baconi also have the same error if i attempt to install on /dev/md022:09
chz|baconanyone?22:10
=== skrewler_ is now known as skrewler
hallynDaviey: so you think we need to wait a bit to MIR netcf?22:34
Davieyhallyn: I heard the Debian Maintainer was a big unreliable, what do you think?22:35
Davieys/big/bit22:35
hallyni wouldn't trust him further than i can throw him22:35
Davieyheh22:36
Davieyhallyn: What needs to depend/recommend on it?22:36
DavieyI've not looked at netcf, so bit of a n00b22:36
uvirtbotNew bug: #899416 in squid (universe) "package squid 2.7.STABLE7-1ubuntu12.4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/89941622:36
hallynDaviey: libvirt22:36
Davieyhallyn: what do upstream libvirt think about netcf?22:37
hallynthey wrote it :)22:37
Davieywell.. seems to be a no-brainer then :P22:37
hallynok - i'll file it on monday and see what they say :)22:38
hallyngnight22:39
Davieynn hallyn22:44
jdstrandzul: horizon finally accepted with bug #89942722:48
uvirtbotLaunchpad bug 899427 in horizon "not lintian clean" [Undecided,New] https://launchpad.net/bugs/89942722:48
Davieythanks jdstrand22:53
barcefWhat else do I need to do? Installed squid on my machine in the US, set up my src ip range and disabled X-forward-for, but hulu still says that I'm outside of the US.22:58
barcefAny ideas?22:58
=== funkyHat_ is now known as funkyHat